Bug#1088656: apt: Regression with keyrings not ending in .gpg/.asc
On Fri, Nov 29, 2024 at 03:31:58AM +0100, Guillem Jover wrote:
> Package: apt
> Version: 2.9.15
> Severity: serious
> Justification: I pondered initially on important, but given that this
> is a regression that prevents repo usage, it seems worth serious to me.
>
> Hi!
>
> The latest release made some repos stop working as apt is now refusing
> to use the specified keyring when it ends in «.pgp»
You essentially exploited a bug in apt-key where it was not correctly
checking single signing keys and worked around the documented behavior.
This poses a tricky question for us because it means it's possibly not
just .pgp; maybe someone named their keys .banana.
But I think we can fix this: we move the else if for .asc up,
drop the extension check on the binary file verification and add
a warning to use `.pgp` if you specify a weird one like `.banana`.
>
> ,---
> …
> Err:4 https://…/…; … InRelease
> The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …
> …
> Warning: https://…/…/InRelease: The key(s) in the keyring /usr/share/keyrings/….pgp are ignored as the file has an unsupported filetype.
> Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://…/…; … InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …
> Warning: Failed to fetch https://…/…/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …
> Warning: Some index files failed to download. They have been ignored, or old ones used instead.
> `---
>
> Enforcing «.gpg» (and «.asc») as the only allowed extensions seems
> wrong, because «.gpg» is an implementation specific name, which does
> not match the standard (OpenPGP) this is based on, where the more
> neutral name to use is «.pgp». So either «.pgp» should be explicitly
> allowed or the extension and format checks should be removed, as the
> OpenPGP implementation in use should be able to reject unknown
> keyrings.
Tell that to GnuPG :D
$ gpgv --keyring $PWD/COPYING --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg /var/lib//apt/lists/_etc_apt_mirrors.list_dists_plucky_InRelease
gpgv: Signature made Fr 29 Nov 2024 08:41:32 CET
gpgv: using RSA key F6ECB3762474EDA9D21B7022871920D1991BC93C
gpgv: [don't know]: invalid packet (ctb=46)
gpgv: keydb_search failed: Invalid packet
gpgv: [don't know]: invalid packet (ctb=46)
gpgv: keydb_search failed: Invalid packet
gpgv: Can't check signature: No public key
$ gpgv-sq --keyring $PWD/COPYING --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg /var/lib//apt/lists/_etc_apt_mirrors.list_dists_plucky_InRelease
gpgv: error: Loading keyring "/home/jak/Projects/Debian/apt/COPYING"
gpgv: because: EOF
gpgv: error: Reading the keyring "/home/jak/Projects/Debian/apt/COPYING"
gpgv: because: Loading keyring "/home/jak/Projects/Debian/apt/COPYING"
gpgv: because: EOF
gpgv: Signature made Fri Nov 29 08:41:32 2024 +01:00
gpgv: using RSA key F6ECB3762474EDA9D21B7022871920D1991BC93C
gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>"
>
> Ideally «.pgp» would be allowed everywhere currently expecting «.gpg»,
> including say «Release.gpg» (even if that's considered deprecated).
> And apt would encourage to use the vendor-neutral extension.
Release.pgp won't happen.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en